cloud init writing netrule file may modify permissions of /dev/null

Bug #2011783 reported by wenao
This bug affects 1 person
Affects: cloud-init (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (empty)

Bug Description

cloud init network configuration can write the udev rule file: etc/udev/rules.d/70-persistent-net.rules
but this file may exist and be linked to /dev/null. This means that the user has disabled the rule file (https://man7.org/linux/man-pages/man7/udev.7.html), but cloud init writes this file without a check and
modifies the permissions of /dev/null from 666 to 644, which causes normal (non-root) users to have no permission to write to /dev/null (e.g. echo hello > /dev/null)

So we want cloud init to have a check before writing the rules file (function render_network_state in cloudinit/net/sysconfig.py
and cloudinit/net/eni.py); if the udev rule file is linked to /dev/null, just return or unlink and write

Daniel Manrique (roadmr)
affects: canonical-identity-provider → cloud-init (Ubuntu)
James Falcon (falcojr) wrote :

Are you wanting to disable cloud-init from configuring the network entirely? If so, that can be done following these instructions:
https://cloudinit.readthedocs.io/en/latest/reference/network-config.html#disabling-network-configuration

Otherwise, you're essentially asking to have cloud-init partially configure the network, but ignore the parts you want to keep separate. Can you explain the use case for such a setup?

Also, please attach the resulting tarball from "cloud-init collect-logs".

Changed in cloud-init (Ubuntu):
status: New → Incomplete
wenao (wenaojinkang) wrote :

>> Are you wanting to disable cloud-init from configuring the network entirely?
No.

We have a case that can explain this: one user has a VM image, which is configured with the file /etc/udev/rules.d/70-persistent-net.rules linked to /dev/null; this is a normal operation. According to the udev specification, the user wants to disable this rule file. After creating an instance using this image, cloud-init wrote to the udev file while configuring the network, but the file is linked to /dev/null, and the permissions for /dev/null were unexpectedly modified (from 666 on most Linux systems to 644). So we expect cloud-init to make a check before writing to the udev file when configuring the network (because this file is allowed to be linked to /dev/null according to the specification). Perhaps cloud-init can check whether it is linked to /dev/null and, if yes, unlink it before writing.
Thanks

James Falcon (falcojr) wrote :

Are you able to attach the logs? What cloud/OS is this running on?

wenao (wenaojinkang) wrote :

I encountered this problem on an Alibaba Cloud instance; the OS is RHEL 8.7.
Step 1: I have a KVM guest image in which the file /etc/udev/rules.d/70-persistent-net.rules is linked to /dev/null
[root@rhel8test ~]# ls -al /etc/udev/rules.d/70-persistent-net.rules
lrwxrwxrwx. 1 root root 9 Nov 25 17:12 /etc/udev/rules.d/70-persistent-net.rules -> /dev/null
[root@rhel8test ~]# cloud-init --version
/usr/bin/cloud-init 22.1-5.el8

The purpose of linking to /dev/null is to disable this rule and not allow the udevd service to resolve it, and the permissions for /dev/null in the KVM image are 666

Step 2: Create an instance with this image
Step 3: After logging in to the instance, I found that the permissions for /dev/null have changed to 644, and there is this message in the cloud-init log

[root@rhel8test ~]# cat /var/log/cloud-init.log
...
util.py[DEBUG]: Writing to /etc/udev/rules.d/70-persistent-net.rules - wb: [644] 96 bytes
...

So we expect cloud-init to check for this situation before writing udev files when configuring the network.
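
The check requested in this report, as an added Python example that is not cloud-init's code or its actual fix: a write followed by chmod through a symlink changes the link target's mode, while unlinking the link first leaves the target alone. The temporary file named null is a constructed stand-in for /dev/null so the example runs without root; the function names are hypothetical.

```python
import os
import stat
import tempfile

RULE_MODE = 0o644  # mode shown in the cloud-init log line for the rules file


def naive_write(path, content, mode=RULE_MODE):
    """Write then chmod; both calls follow a symlink to its target."""
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)


def safe_write(path, content, mode=RULE_MODE):
    """Replace a symlink with a regular file instead of writing through it."""
    if os.path.islink(path):
        os.unlink(path)  # removes the link only, never its target
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
        os.fchmod(fh.fileno(), mode)  # acts on the opened file, not on a path


def demo(writer):
    """Return (target mode, rules path is still a symlink) after one write."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "null")  # constructed stand-in for /dev/null
        rules = os.path.join(tmp, "70-persistent-net.rules")
        open(target, "wb").close()
        os.chmod(target, 0o666)
        os.symlink(target, rules)
        writer(rules, b'SUBSYSTEM=="net", NAME="eth0"\n')  # constructed rule text
        return stat.S_IMODE(os.stat(target).st_mode), os.path.islink(rules)


if __name__ == "__main__":
    print("naive:", demo(naive_write))
    print("safe: ", demo(safe_write))
```

Unlinking re-enables a rule file that the image author had masked; returning without writing, the other option the reporter suggests, keeps the mask in place.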

James Falcon (falcojr) wrote :
Changed in cloud-init (Ubuntu):
status: Incomplete → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 23.2-0ubuntu1

---------------
cloud-init (23.2-0ubuntu1) mantic; urgency=medium

  * d/control: Remove pep8 dependency. It is no longer used.
  * Upstream snapshot based on 23.2.
    List of changes from upstream can be found at
    https://raw.githubusercontent.com/canonical/cloud-init/23.2/ChangeLog
    - Bugs fixed in this snapshot: (LP: #2011783, #2008888, #1854594, #2016350)
      (LP: #1881925, #2013967, #2011291)

 -- Alberto Contreras <email address hidden> Wed, 24 May 2023 19:06:03 +0200

Changed in cloud-init (Ubuntu):
status: Fix Committed → Fix Released